Sunday, January 22, 2017

Internet Explorer XSS Filter Bypass for POST with PDF

IE XSS Filter Bypass with PDF

I recently discovered an interesting issue in Internet Explorer regarding bypassing the XSS filter, which I am going to share with you.

Once again, assume the following scenario. The website on example.com suffers from a reflected XSS vulnerability in a POST payload:

test.php

<h1>xss test</h1><?php echo $_POST['xss']; ?><div>end</div>

Assuming the web page sends all the necessary headers, a POST payload such as xss=<script>alert(1)</script> will trigger the XSS filter and be caught.

Let's bypass this restriction:

PDF - SubmitForm Action

The PDF specification describes the SubmitForm action, which allows a PDF document to submit its AcroForm fields in several formats. One of the possible formats is HTML. Additionally, it is possible to specify whether a GET or a POST request should be used. The response is rendered in the web browser.

While playing with this feature I discovered that Internet Explorer never triggers the XSS filter for POST requests sent this way. This makes it possible to exploit a reflected XSS vulnerability with any payload, without worrying about the XSS filter.

The following PDF will automatically submit a POST request to http://example.com/test.php. The payload contains xss=<script>alert(1)</script>:

Just try it yourself. If you have any questions, feel free to contact me on Twitter.
To stop the attack from working, you need to enable Protected View in Adobe Reader: https://helpx.adobe.com/reader/using/protected-mode-windows.html
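Protected View only protects the user's own machine; the server-side lesson of this bypass is that the browser's XSS filter is a heuristic that must not be relied on. As an added example that is not part of the original post, here is the same test.php with the reflected value encoded on output, so that the payload is rendered as text whether or not any client-side filter fires. The helper name h() and the Content-Security-Policy value are my own choices for this example, not something the post describes.

```php
<?php
// Added example (not from the original post): hardened version of test.php.
// The reflected POST value is HTML-encoded on output, which neutralises
// xss=<script>alert(1)</script> independently of the browser's XSS filter.
header('Content-Type: text/html; charset=UTF-8');

// Defence in depth (assumed policy for this example): a CSP that refuses
// inline scripts even if some other code path ever emits unencoded input.
header("Content-Security-Policy: default-src 'self'; script-src 'self'");

// Encode for an HTML text context: < > & " ' become entities, invalid UTF-8
// sequences are replaced instead of being passed through to the browser.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Read the parameter the vulnerable page echoed verbatim; default to empty.
$xss = isset($_POST['xss']) ? (string) $_POST['xss'] : '';
?>
<h1>xss test</h1><?= h($xss) ?><div>end</div>
```

With this version, the PDF SubmitForm request from the post still reaches the server, but the response contains `&lt;script&gt;alert(1)&lt;/script&gt;` as visible text rather than an executable script element, so there is nothing for the XSS filter to catch or miss.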